How SSO Works

- Traffic to the Legacy application is routed through the Gateway.
- Gateway is deployed as a web app protected by the OpenAM agent.
- OpenAM agent is configured to pass user-identifying headers to the Gateway.
- Gateway filters are configured to intercept the Legacy application login pages.
- When a login or timeout page is processed, the user is logged in with credentials passed from the OpenAM agent or by looking them up in an external database or vault.
- Gateway optionally manages, filters, or transforms cookies, headers, and general application content.

[Diagram labels: OpenAM, Legacy, Identity Gateway, Agent]
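
The SSO flow on this slide, modelled as a small Python simulation (an added example, not code from the deck or from the gateway product). The header name, login-page marker, class names, accounts and vault contents are assumptions made for illustration.

```python
# Added illustration; header name, marker, accounts and vault entries are constructed.
USER_HEADER = "X-Authenticated-User"   # assumed header passed by the agent
LOGIN_MARKER = "<form id='login'>"     # how the filter recognises a login/timeout page
ACCOUNTS = {"alice_legacy": "constructed-password"}   # legacy app's own user store
VAULT = {"alice": ("alice_legacy", "constructed-password")}  # SSO user -> legacy creds

class LegacyApp:
    """Stand-in for the legacy application and its form login."""
    def __init__(self):
        self.sessions = {}

    def handle(self, method, path, cookie=None, form=None):
        if method == "POST" and path == "/login":
            user, password = form
            if ACCOUNTS.get(user) != password:
                return {"status": 401, "body": LOGIN_MARKER}
            sid = f"sid-{len(self.sessions) + 1}"
            self.sessions[sid] = user
            return {"status": 200, "body": "welcome", "set_cookie": sid}
        if cookie not in self.sessions:            # no session or timed out
            return {"status": 200, "body": LOGIN_MARKER}
        return {"status": 200, "body": f"{path} for {self.sessions[cookie]}"}

class Gateway:
    """Intercepts login pages and logs the user in on their behalf."""
    def __init__(self, app, vault):
        self.app, self.vault, self.cookies = app, vault, {}

    def handle(self, method, path, headers):
        user = headers.get(USER_HEADER)
        if user is None:                           # request did not come via the agent
            return {"status": 403, "body": "no identity header"}
        resp = self.app.handle(method, path, cookie=self.cookies.get(user))
        if LOGIN_MARKER not in resp["body"]:
            return resp                            # normal page, pass through
        creds = self.vault.get(user)               # external database or vault lookup
        if creds is None:
            return {"status": 403, "body": "no legacy credentials mapped"}
        login = self.app.handle("POST", "/login", form=creds)
        if "set_cookie" not in login:
            return {"status": 502, "body": "legacy login failed"}
        self.cookies[user] = login["set_cookie"]   # gateway manages the app cookie
        return self.app.handle(method, path, cookie=self.cookies[user])
```

The model only holds if the Gateway is reachable solely through the agent, since it accepts the identity header as given.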

How Federation Works

- Traffic to the Legacy application is routed through the Gateway.
- Gateway is deployed as a web app or standalone Java application.
- Gateway is configured as a SAML2 endpoint in a Circle of Trust with the WAM.
- Gateway filters are configured to recognize Legacy application login pages.
- When the Gateway sees a login or timeout page, an SP-initiated SAML2 AuthN request is sent to the WAM.
- Upon receiving and processing the assertion, the Gateway logs the user in with credentials from the assertion or by looking them up in an external database or vault.
- Gateway optionally manages, filters, or transforms cookies, headers, and general application content.

[Diagram labels: Web Access Management, SAML2, Legacy, Federation Identity Gateway]